A New Wi-Fi Exploit, Limited But Clever
eggboard writes "Martin Beck, who in 2008 co-wrote a paper describing a way to inject packets into a secured Wi-Fi system, is back with a more extensive exploit. His 'Enhanced TKIP Michael Attacks' still don't allow extraction of a key, and are limited to TKIP (not AES-CCMP) WPA-protected networks. Still, he's figured out how to put in large payloads, and to extract data sent from an access point to a client — all without cracking the network key. The attack requires proximity to sniff and inject data, but it's another crack in the older key standard (TKIP) that no one with serious security interests should still be using." Here is Beck's paper (PDF) describing the new attacks.
That's what I always do.
Since I have an unnatural fear of vowels I'm waiting for a protocol whose acronym is constructed solely of consonants.
From TFA:
As with the previous attack, a lot of stars have to be in alignment. The biggest requirement is that TKIP has to be the key type, not AES-CCMP. An attacker has to be proximate to sniff traffic and inject packets. The router has to be running Linux, like many Wi-Fi routers do. The router doesn't need to be compromised; there's a particular Wi-Fi packet sequence that's more predictable, and thus easier to use in the attack. Network QoS (802.11e/WMM) needs to be enabled as well.
I do this at home (do not broadcast SSID, MAC address filter, etc.). But, it's just on principle, I have nothing to hide. However if I've wasted 10 minutes of your time getting on my network and another 30 minutes snooping around admiring my MP3 collection, it's worth it.
That is poor advice because all it does is create the illusion of security. Actually good advice would be "just use wpa2, or wpa-aes". If you use proper security with your wifi network then there is no need for child's play games like that.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
How exactly? Using exploits in non-deprecated wireless security is far more technically involved than running some script kiddie application which will list all wi-fi networks in range, SSID broadcasting or not, and also the mac address of clients on those networks automagically, as well as crack obsolete security like WEP.
So really, anyone who could even think about cracking a WPA or RADIUS network, which would take quite a bit of time and effort and probably days of information gathering to achieve in practice, would find such measures trivial to break.
However, these measures still lower the supportability of your network, which means they would be very costly for something useless. And even worse, because users who had issues with say, your MAC address filter, might not know how to fix them, they might do something stupid to their machine which actually has the net effect of making your network LESS secure. Fun.
Using WPA or MAC address filters would be like arguing that putting a thumbtack on the floor outside a fortress enhances its security. Objectively undeniable, but still laughable. Sure it will help keep stupid little kids out of your fortress, but those are not the type of people who could ever get past the giant walls, moats, archers, etc your actual fortress security employs. On the other hand, this tack, not being in the fortress standards, might actually manage to make miserable the life of a well intentioned, if stupid, servant, guard, etc.
TKIP and CCMP are both vulnerable to cracking still. People can go in, wait, deauth you, steal your 4-way handshake, and dump the file on a computer or cluster, and have your password quickly.
How about ethernet? No? Well, make sure it's WPA2 Enterprise with a very long password, hidden, etc.
Hiding your SSID can actually be detrimental...
If your SSID is open, then your machine can see its broadcasts and connect to it... If the SSID is hidden, then your machine has to probe for it by name... Meaning that if your machine is away from its usual location, you can see what network it's looking for...
If the SSID is hidden, then someone trying to break into it just needs to sniff traffic for a while to get the SSID anyway.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
if you need really good security in your wireless, JUST LEAVE IT OPEN. ;)
And use a vpn of course
ipsec is widely supported, but openvpn is a good choice too.
secure, encrypted, configurable, and with YEARS of testing behind!
I've never really understood this attitude. I feel that one needs to be aware of security theatre, or security kabuki -- things that make you feel safer but don't actually make you safer. There are two possibilities for an attacker: an idiot, or, someone very capable.
While it's true that a non-broadcast SSID might stop an idiot, ditto for locking down MAC addresses, you can extract both of these (completely unencrypted) from the packet stream. Any modestly competent attacker can do this quite quickly.
But locking down MAC addresses and turning off SSID broadcasting increases the tedium of administration while making no real difference to a hacker. Like the TSA, it's security kabuki in my view.
In general, I don't find my security enhanced by assuming that the attacker is a clueless moron. If that were the case, then Windows 98 coupled with digital hashes checked against all files would be a secure OS.
The one argument I think you could come up with is that if you enable all security features in a disciplined manner then that's just good practice. Maybe. I still think it smacks of a bit of security theatre.
Annoyingly, I can think of two devices that can't cope without TKIP under WPA2. The older Apple Airport Express and a Linksys wireless bridge.
Without TKIP, these two devices have effectively become expensive (when they were purchased, at least) door stops. It's aggravating, because they both advertised support for WPA2-AES!
Re: wi-fi security, what's to stop someone from creating a hotspot with the same SSID and just wait for the user to provide their credentials when they try to re-login? The average user will probably just go ahead and re-enter their password. No need for breaking any encryption, just a bit of social engineering.
Actually, I'd suggest to use both. If one fails, you still have the other.
Error: password can't contain reverse spelling of ancient Chinese emperor
It seems that you assumed that I wouldn't suggest first to use wpa2, etc. Seeing as the article is about cracking advanced encryption, I would hope that this is already in place. Poor advice? I think not. It adds additional roadblocks. I also said that it 'helps'. Not that it's a foolproof plan. It just makes it more of a pain to break in. For example, using a MAC address filter would mean that they would have to spoof a MAC address that you have whitelisted. This requires additional effort and information gathering. Using an SSID that is not broadcast, and also not easily guessable (not a dictionary word, and a certain length, etc), makes it harder for SSID crackers to pick it up as well. You may be happy with just using strong encryption, but I very much prefer enabling these additional security features to harden it even further, even if it is just a little bit further.
Mod parent up, it's amazing how little-known these facts are about SSID hiding. I proudly broadcast my SSID: "iWatchYouSleep"
SSID broadcast and mac address filter do nothing to stop hackers, unfortunately.
When the MAC filter fails, you still have the other. If WPA2 fails, you have nothing, because the MAC filter is effectively worthless.
Not a sentence!
You think that someone who can crack WPA or WPA2 isn't going to know how to spoof their mac address? And hiding your SSID literally does nothing when they're listening for individual packets, not listening for your router to announce itself.
Not broadcasting is even more dangerous, as someone can set up a network with the same ID that does broadcast, and potentially capture your traffic without your knowledge.
Really? I don't think anybody else would choose "Linksys" as an SSID, would they?
Anyone who cracks your WPA already has the technical knowledge and sniffed packets needed to spoof a MAC address and connect without the SSID.
Maybe if they had a D-Link router they might.
So, no problem if someone installs a proxy on your machine & uses it to surf child porn? I'm sure that it won't take long or have any impact on your reputation for you to explain to the nice law enforcement agents that it wasn't really you doing that sort of thing.
Never interrupt your enemy when he's making a mistake.
- Napoleon Bonaparte (1769 - 1821)
~hylas
I will second what the other two people replying to you have said :
#1) SSID just requires a single deauth to any client. This literally takes 2 seconds to do.
#2) Your clients are broadcasting their MAC addresses in the clear, and it's a fair assumption that any associated client is on your MAC whitelist... Anyone hacking your wireless network is literally staring at these MACs (and probably continuously typing them back into the console).
Anyone with the technical sophistication to go after WPA already knows this (and can bypass both your MAC and SSID measures in LITERALLY 10 seconds)
If enabling these two features makes you FEEL safer then by all means keep them on. But they offer NO additional protection (not even a teeny tiny bit), and are probably a bit of a hassle for you
- Have to add each legit client to MAC table
- Some clients barf on the hidden SSID
Your ONLY effective consumer-level protection at the moment is to pick a completely random long WPA PSK! (even then, there are a few attacks that allow a hacker to decrypt WPA packets without knowing the key)
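The thread's recurring advice (drop TKIP for CCMP, use a long random PSK, treat hidden SSIDs and MAC whitelists as administration cost rather than protection) can be turned into a config check. The following is an added example, not code from the thread or from Beck's paper: it audits a hostapd.conf fragment and emits a hardened copy. The hostapd keys used (`wpa`, `wpa_pairwise`, `rsn_pairwise`, `wpa_passphrase`, `ignore_broadcast_ssid`, `macaddr_acl`, `wmm_enabled`) are real hostapd options; the sample config, the finding codes and the passphrase alphabet are constructed for the example.

```python
import math
import secrets
import string

# Constructed sample hostapd.conf fragment (not from the thread) showing the
# settings the comments argue about: TKIP under WPA1, a short dictionary
# passphrase, a hidden SSID and a MAC whitelist.
WEAK_CONF = """\
interface=wlan0
ssid=homenet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password123
ignore_broadcast_ssid=1
macaddr_acl=1
wmm_enabled=1
"""

# Printable ASCII without space, quotes or backslash (chosen here to avoid
# quoting trouble in config files; WPA2 itself allows any printable ASCII).
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of (code, message) findings for the parsed config."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append(("OPEN", "no WPA configured; set wpa=2"))
    elif wpa & 1:  # wpa is a bitfield: 1 = WPA(v1), 2 = RSN/WPA2, 3 = both
        findings.append(("WPA1", "WPA (v1) offered; set wpa=2 so only RSN/WPA2 is accepted"))
    # wpa_pairwise lists ciphers for WPA(v1); rsn_pairwise lists them for WPA2
    # and falls back to wpa_pairwise when unset, so check both.
    ciphers = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(conf.get(key, "").split())
    if wpa and not ciphers:
        findings.append(("NO_CIPHER", "no pairwise cipher list; set rsn_pairwise=CCMP explicitly"))
    if "TKIP" in ciphers:
        msg = "TKIP cipher enabled; use CCMP only (rsn_pairwise=CCMP)"
        if conf.get("wmm_enabled") == "1":
            msg += "; WMM/QoS is also on, which the Beck TKIP attacks require"
        findings.append(("TKIP", msg))
    psk = conf.get("wpa_passphrase", "")
    guessable = psk.lower().rstrip(string.digits) in {"password", "linksys", "admin"}
    if psk and (len(psk) < 20 or guessable):
        findings.append(("WEAK_PSK", "short or guessable passphrase; use a long random one (up to 63 chars)"))
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append(("HIDDEN_SSID", "hidden SSID: clients must probe for it by name, and it still appears in the clear in association traffic"))
    if conf.get("macaddr_acl", "0") == "1":
        findings.append(("MAC_ACL", "MAC whitelist: administrative cost only; client MACs are transmitted in the clear"))
    return findings


def generate_psk(length=63):
    """Random printable-ASCII passphrase; WPA2-PSK allows 8..63 characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(length=63, alphabet=PSK_ALPHABET):
    """Entropy of a uniformly random passphrase over the alphabet, in bits."""
    return length * math.log2(len(alphabet))


def harden(conf):
    """Return a copy with WPA2/CCMP, a fresh random PSK, and the theatre settings cleared."""
    fixed = dict(conf)
    fixed["wpa"] = "2"
    fixed.pop("wpa_pairwise", None)
    fixed["rsn_pairwise"] = "CCMP"
    fixed["wpa_passphrase"] = generate_psk()
    fixed["ignore_broadcast_ssid"] = "0"
    fixed["macaddr_acl"] = "0"  # 0 = accept unless in deny list (hostapd default)
    return fixed


def render(conf):
    """Serialise a config dict back to hostapd key=value lines."""
    return "\n".join(f"{k}={v}" for k, v in conf.items()) + "\n"


if __name__ == "__main__":
    weak = parse_hostapd(WEAK_CONF)
    for code, message in audit(weak):
        print(f"[{code}] {message}")
    print("\nhardened config:\n" + render(harden(weak)))
    print(f"PSK entropy: {psk_entropy_bits():.0f} bits")
```

`harden()` leaves WMM on, since QoS is only a problem in combination with TKIP; once the cipher is CCMP the precondition quoted from TFA no longer applies. The entropy figure is what bounds the offline handshake attack mentioned earlier in the thread: a 63-character random passphrase is far beyond any dictionary or brute-force budget, which is the whole point of the "completely random long WPA PSK" advice.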
The likelihood of someone bothering to bypass my home MAC filter is similar to winning the lottery or being burglarized.
What exactly do you think the likelihood of someone cracking a WPA2 network is? If someone is actually able to get through WPA2, they won't even blink at MAC filtering. Well, maybe they'll laugh..
I should also point out that if that were true, at least 3 of my neighbours should have won the lottery by now...
Near zero? The likelihood of someone living anywhere close to me that has both the desire and knowledge to get into my minimally secure network is similar to the likelihood that an extremely hot girl will approach me and give me her number.
Think again. Near zero is an over-estimation. Unless you live next door to the NSA*, and they happen to need free wifi, then there is absolutely no reason that you need anything more than WPA2. All you are doing is wasting your own time. Nobody else's.
*Not like MAC filtering would faze the NSA in the slightest...
99% of fixing your security isn't about being secure: it is about being less enticing than the next-door neighbour's network.
Read up on kismet.
It's also fun to see SSIDs with "Pirate" or "Hacker" in the names..."There be Monsters this way". It frightens the peasants.
Of course, it's entertaining to deploy some honeypots.
Your point?
Another better known fact: Some implementations of 802.11 suck
Actually, broadcasting your SSID can stop (some) hackers. Especially if you choose one like "NSA Honeypot".
I'm making that my next SSID. Kudos to you, good sir.